One key parameter that a developer must validate and protect is
the "path" parameter that can be set on any IIS Virtual Directory
or Site. This parameter points to folder path whether local or UNC
that will contain the data exposed through the IIS, this raises the
possiblity of exposing information that was not intended to be
exposed through IIS.

Here are some guidelines a developer should following when
designing an interface that interacts with the IIS Provider and
corresponding namespces.

User Interfaces or automation engines should build a valid path
from a protected list of known good local or UNC path roots.

The path parameter should not be based on any direct end-user
input.

Firewall rules should be configured such that the MPF Engine
servers can only establish RPC/NETBios connections with valid
FileServers.

User Interfaces or automation engines should perform basic
encoding on the path before setting the value of path.